b'Department of Health and Human Services\n                   OFFICE OF\n              INSPECTOR GENERAL\n\n\n\n  THE OFFICE FOR CIVIL RIGHTS\n   DID NOT MEET ALL FEDERAL\n REQUIREMENTS IN ITS OVERSIGHT\n    AND ENFORCEMENT OF THE\n HEALTH INSURANCE PORTABILITY\n    AND ACCOUNTABILITY ACT\n         SECURITY RULE\n\n\n\n  Inquiries about this report may be addressed to the Office of Public Affairs at\n                           Public.Affairs@oig.hhs.gov.\n\n\n\n                                                  Thomas M. Salmon\n                                               Assistant Inspector General\n\n                                                      November 2013\n                                                      A-04-11-05025\n\x0c                        Office of Inspector General\n                                         https://oig.hhs.gov\n\n\n\nThe mission of the Office of Inspector General (OIG), as mandated by Public Law 95-452, as amended, is\nto protect the integrity of the Department of Health and Human Services (HHS) programs, as well as the\nhealth and welfare of beneficiaries served by those programs. This statutory mission is carried out\nthrough a nationwide network of audits, investigations, and inspections conducted by the following\noperating components:\n\nOffice of Audit Services\n\nThe Office of Audit Services (OAS) provides auditing services for HHS, either by conducting audits with\nits own audit resources or by overseeing audit work done by others. Audits examine the performance of\nHHS programs and/or its grantees and contractors in carrying out their respective responsibilities and are\nintended to provide independent assessments of HHS programs and operations. 
These assessments help\nreduce waste, abuse, and mismanagement and promote economy and efficiency throughout HHS.\n\nOffice of Evaluation and Inspections\nThe Office of Evaluation and Inspections (OEI) conducts national evaluations to provide HHS, Congress,\nand the public with timely, useful, and reliable information on significant issues. These evaluations focus\non preventing fraud, waste, or abuse and promoting economy, efficiency, and effectiveness of\ndepartmental programs. To promote impact, OEI reports also present practical recommendations for\nimproving program operations.\n\nOffice of Investigations\nThe Office of Investigations (OI) conducts criminal, civil, and administrative investigations of fraud and\nmisconduct related to HHS programs, operations, and beneficiaries. With investigators working in all 50\nStates and the District of Columbia, OI utilizes its resources by actively coordinating with the Department\nof Justice and other Federal, State, and local law enforcement authorities. The investigative efforts of OI\noften lead to criminal convictions, administrative sanctions, and/or civil monetary penalties.\n\nOffice of Counsel to the Inspector General\nThe Office of Counsel to the Inspector General (OCIG) provides general legal services to OIG, rendering\nadvice and opinions on HHS programs and operations and providing all legal support for OIG\xe2\x80\x99s internal\noperations. OCIG represents OIG in all civil and administrative fraud and abuse cases involving HHS\nprograms, including False Claims Act, program exclusion, and civil monetary penalty cases. In\nconnection with these cases, OCIG also negotiates and monitors corporate integrity agreements. 
OCIG\nrenders advisory opinions, issues compliance program guidance, publishes fraud alerts, and provides\nother guidance to the health care industry concerning the anti-kickback statute and other OIG enforcement\nauthorities.\n\x0c                            Notices\n\n\n\n       THIS REPORT IS AVAILABLE TO THE PUBLIC\n                 at https://oig.hhs.gov\n\nSection 8L of the Inspector General Act, 5 U.S.C. App., requires that\nOIG post its publicly available reports on the OIG Web site.\n\nOFFICE OF AUDIT SERVICES FINDINGS AND OPINIONS\n\nThe designation of financial or management practices as questionable,\na recommendation for the disallowance of costs incurred or claimed,\nand any other conclusions and recommendations in this report represent\nthe findings and opinions of OAS. Authorized officials of the HHS\noperating divisions will make final determination on these matters.\n\x0c                                   EXECUTIVE SUMMARY\n\nBACKGROUND\n\nHealth Insurance Portability and Accountability Act of 1996\n\nThe Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the U.S.\nDepartment of Health and Human Services (HHS) to develop national standards for the use and\ndissemination of health care information, including standards to protect electronic protected\nhealth information (ePHI). To satisfy that requirement, HHS published the HIPAA Security\nRule (Security Rule), which describes the administrative, physical, and technical safeguards\nnecessary to ensure the confidentiality, integrity, and availability of ePHI.\n\nHealth Information Technology for Economic and Clinical Health Act\n\nAs part of the American Recovery and Reinvestment Act of 2009, Congress enacted the Health\nInformation Technology for Economic and Clinical Health Act (HITECH). HITECH extends\nthe Security Rule and its civil penalties for covered entities that do not comply with the Security\nRule to business associates of covered entities. 
HITECH also requires HHS to provide for\nperiodic audits of covered entities to ensure their compliance with HIPAA requirements.\n\nPrior Office of Inspector General Reports on Oversight of the Security Rule\n\nIn October 2008, we reported to the Centers for Medicare & Medicaid Services (CMS) that it\nhad taken limited actions to ensure covered entities complied with the Security Rule. At the time\nof our 2008 report, CMS had not conducted Security Rule compliance audits of covered entities\nand had not established policies or procedures for conducting those audits. We recommended\nthat CMS establish policies and procedures for conducting compliance audits of covered entities.\n\nIn our May 2011 report to the Office for Civil Rights (OCR) (after the delegation of\nresponsibility for the Security Rule to OCR in 2009), we summarized the results of our audits of\nCMS\xe2\x80\x99s oversight and enforcement of Security Rule implementation at seven hospitals. The\nreport disclosed numerous control weaknesses at the hospitals and demonstrated the need for\ngreater OCR oversight and enforcement. We also reported that, in 2009, CMS began conducting\nself-initiated compliance audits of covered entities. We recommended that OCR continue the\ncompliance-audit process that CMS had begun and implement procedures for conducting\ncompliance reviews.\n\nOBJECTIVES\n\nOur objectives were to determine whether: (1) OCR met Federal requirements for oversight and\nenforcement of the Security Rule and (2) OCR\xe2\x80\x99s computer systems used to oversee and enforce\nthe Security Rule met Federal cybersecurity requirements.\n\n\n\n\n                                                 i\n\x0cSUMMARY OF FINDINGS\n\nOCR met some Federal requirements for oversight and enforcement of the Security Rule. 
OCR\nmade available to covered entities guidance that promoted compliance with the Security Rule\nand OCR established an investigation process for responding to reported violations of the\nSecurity Rule. OCR also followed Federal regulations when imposing penalties for Security\nRule violators.\n\nHowever, OCR did not meet other Federal requirements critical to the oversight and enforcement\nof the Security Rule:\n\n   \xe2\x80\xa2   Although OCR made available to covered entities guidance that promoted compliance\n       with the Security Rule, it had not assessed the risks, established priorities, or\n       implemented controls for its HITECH requirement to provide for periodic audits of\n       covered entities to ensure their compliance with Security Rule requirements. As a result,\n       OCR had limited assurance that covered entities complied with the Security Rule and\n       missed opportunities to encourage those entities to strengthen their security over ePHI.\n\n   \xe2\x80\xa2   Although OCR established an investigation process for responding to reported violations\n       of the Security Rule, its Security Rule investigation files did not contain required\n       documentation supporting key decisions because its staff did not consistently follow\n       OCR investigation procedures by sufficiently reviewing investigation case\n       documentation. 
OCR had not implemented sufficient controls, including supervisory\n       review and documentation retention, to ensure investigators follow investigation policies\n       and procedures for properly initiating, processing, and closing Security Rule\n       investigations.\n\nIn addition, OCR had not fully complied with Federal cybersecurity requirements included in the\nNational Institute of Standards and Technology (NIST) Risk Management Framework for its\ninformation systems used to process and store investigation data because it focused on system\noperability to the detriment of system and data security. For example, OCR did not obtain HHS\nauthorizations to operate the three systems used to oversee and enforce the Security Rule. In\naddition, it did not complete privacy impact assessments, risk analyses, or system security plans\nfor two of the three systems. Exploitation of system vulnerabilities, normally identified through\nthe Risk Management process, could impair OCR\xe2\x80\x99s ability to perform functions vital to its\nmission.\n\nRECOMMENDATIONS\n\nWe recommend that OCR:\n\n   \xe2\x80\xa2   assess the risks, establish priorities, and implement controls for its HITECH auditing\n       requirements;\n\n   \xe2\x80\xa2   provide for periodic audits in accordance with HITECH to ensure Security Rule\n       compliance at covered entities;\n\n\n                                                ii\n\x0c   \xe2\x80\xa2   implement sufficient controls, including supervisory review and documentation retention,\n       to ensure policies and procedures for Security Rule investigations are followed; and\n\n   \xe2\x80\xa2   implement the NIST Risk Management Framework for systems used to oversee and\n       enforce the Security Rule.\n\nOFFICE FOR CIVIL RIGHTS COMMENTS AND OFFICE OF INSPECTOR\nGENERAL RESPONSE\n\nIn its comments on our draft report, OCR generally concurred with our recommendations and\ndescribed the actions it has taken to address them. 
In one of its comments, OCR stated that it\nhad contracted for the development of its audit mandate options, had developed an audit protocol,\nhad conducted pilot audits of covered entities, and was evaluating the results of its pilot audit\nprogram. However, OCR explained that no funds had been appropriated for it to maintain a\npermanent audit program and that funds used to support audit activities previously conducted were\nno longer available. OCR also provided technical comments, which we addressed as appropriate.\n\nWe remain concerned about OCR\xe2\x80\x99s ability to comply with the HITECH audit requirement and\nthe resulting limited assurance that ePHI is secure at covered entities because of OCR\xe2\x80\x99s comment\nregarding limited funding resources for its audit mandates. Furthermore, in response to one of\nOCR\xe2\x80\x99s technical comments, we changed our report language to clarify our finding on OCR\xe2\x80\x99s\noversight and enforcement of covered entity compliance with the Security Rule by removing a\nreference to Security Rule requirements. Although the Security Rule authorized compliance\nreviews of covered entities in 2006 by stating that OCR \xe2\x80\x9cmay conduct compliance reviews to\ndetermine\xe2\x80\x9d Security Rule compliance, HITECH changed the requirement in 2009 to state that\nOCR \xe2\x80\x9cshall provide for periodic audits to ensure\xe2\x80\x9d Security Rule compliance.\n\n\n\n\n                                               iii\n\x0c                                                  TABLE OF CONTENTS\n\n\nINTRODUCTION .........................................................................................................................1\n\n          BACKGROUND .................................................................................................................1\n              Health Insurance Portability and Accountability Act of 1996 ................................ 
1\n              Health Information Technology for Economic and Clinical Health Act ................ 1\n              Delegation of Authority To Administer the Health Insurance\n                Portability and Accountability Act of 1996 Security Rule .................................. 1\n              Responsibilities of the Office for Civil Rights ....................................................... 1\n              Prior Office of Inspector General Reports on Oversight of the Security Rule ....... 2\n\n          OBJECTIVES, SCOPE, AND METHODOLOGY ............................................................ 2\n               Objectives ............................................................................................................... 2\n               Scope ....................................................................................................................... 2\n               Methodology ........................................................................................................... 3\n\nFINDINGS AND RECOMMENDATIONS ............................................................................... 4\n\n          OFFICE FOR CIVIL RIGHTS PARTIALLY MET REGULATORY\n           REQUIREMENTS FOR OVERSIGHT AND ENFORCEMENT .................................. 5\n               Periodic Audits Not Provided For........................................................................... 5\n               Insufficient Records for Security Rule Investigations ............................................ 5\n\n          SYSTEMS DID NOT FULLY COMPLY WITH FEDERAL CYBERSECURITY\n           REQUIREMENTS ........................................................................................................... 6\n\n          RECOMMENDATIONS .................................................................................................... 
7\n\n          OFFICE FOR CIVIL RIGHTS COMMENTS ................................................................... 8\n\n          OFFICE OF INSPECTOR GENERAL RESPONSE ......................................................... 8\n\nAPPENDIXES\n\n          A: FEDERAL REQUIREMENTS AND OFFICE FOR CIVIL RIGHTS PROCEDURES\n\n          B: OFFICE FOR CIVIL RIGHTS COMMENTS\n\n\n\n\n                                                                     iv\n\x0c                                                   INTRODUCTION\n\nBACKGROUND\n\nHealth Insurance Portability and Accountability Act of 1996\n\nThe Health Insurance Portability and Accountability Act of 1996 (HIPAA) (P.L. No. 104-191)\nrequired the U.S. Department of Health and Human Services (HHS) to develop national\nstandards for the use and dissemination of health care information, including standards to protect\nelectronic protected health information (ePHI). These standards are applicable to the three types\nof covered entities: health plans, healthcare clearinghouses, and certain healthcare providers.\n\nTo satisfy the requirement to develop national standards to protect ePHI, HHS published the\nHIPAA Security Rule (Security Rule) in 45 CFR parts 160, 162, and 164. The Security Rule\ndescribes the administrative, physical, and technical safeguards necessary to ensure the\nconfidentiality, integrity, and availability of ePHI.\n\nHealth Information Technology for Economic and Clinical Health Act\n\nAs part of the American Recovery and Reinvestment Act of 2009 (P.L. No. 111-5), Congress\nenacted the Health Information Technology for Economic and Clinical Health Act (HITECH).\nHITECH extended the Security Rule and related civil penalties to business associates of covered\nentities. 
1 HITECH also requires HHS to provide for periodic audits of covered entities to ensure\ncompliance with HIPAA requirements (subtitle D, part 1, \xc2\xa7 13411).\n\nDelegation of Authority To Administer the Health Insurance Portability and\nAccountability Act of 1996 Security Rule\n\nOn October 7, 2003, HHS delegated to the Centers for Medicare & Medicaid Services (CMS) the\nauthority to enforce compliance with the Security Rule and to impose civil monetary penalties on\ncovered entities that violate it. The Final Rule for enforcement of the Security Rule became\neffective on March 16, 2006 (71 Fed. Reg. 8390 (Feb. 16, 2006)).\n\nOn July 27, 2009, HHS delegated the authority for the oversight and enforcement of the Security\nRule to the Office for Civil Rights (OCR).\n\nResponsibilities of the Office for Civil Rights\n\nAs HHS\xe2\x80\x99s civil rights, health information privacy, and security enforcement division, OCR\xe2\x80\x99s\npurpose is to protect fundamental rights of nondiscrimination and ensure compliance with health\ninformation privacy and security laws. As of July 27, 2009, OCR became responsible for\nensuring that covered entities comply with the Security Rule and for investigating and resolving\npotential HIPAA violations. The HITECH Act requires OCR to provide for periodic audits of\n\n1\n    In this audit report, we used the term \xe2\x80\x9ccovered entities\xe2\x80\x9d also to refer to the business associates of covered entities.\n\n\n                                                              1\n\x0ccovered entities, while Federal regulations grant OCR the leeway to resolve matters involving\nindications of noncompliance informally 2 or to impose civil monetary penalties if it determines\nthat a covered entity has violated a Security Rule requirement. 
OCR is also required to comply\nwith Federal internal control and cybersecurity requirements.\n\nPrior Office of Inspector General Reports on Oversight of the Security Rule\n\nIn October 2008, we reported to CMS 3 that it had taken limited actions to ensure that covered\nentities complied with the requirements of the Security Rule. At the time of our report, CMS had\nnot conducted any Security Rule compliance audits of covered entities and had not established\nany policies or procedures for conducting them. We recommended that CMS establish policies\nand procedures for conducting compliance audits of covered entities.\n\nIn a May 2011 report to OCR, 4 we summarized the results of our reviews of CMS\xe2\x80\x99s oversight\nand enforcement of Security Rule implementation at seven hospitals located in California,\nGeorgia, Illinois, Massachusetts, Missouri, New York, and Texas. The report disclosed\nnumerous control weaknesses at the hospitals and demonstrated the need for greater OCR\noversight and enforcement. We also reported that, in 2009, CMS began conducting self-initiated\ncompliance audits of covered entities. We recommended that OCR continue the compliance\naudit process that CMS had begun and implement procedures for conducting compliance audits\nto ensure that Security Rule controls are in place and operating as intended to protect ePHI at\ncovered entities.\n\nOBJECTIVES, SCOPE, AND METHODOLOGY\n\nObjectives\n\nOur objectives were to determine whether: (1) OCR met Federal requirements for oversight and\nenforcement of the Security Rule and (2) OCR\xe2\x80\x99s computer systems used to oversee and enforce\nthe Security Rule met Federal cybersecurity requirements.\n\nScope\n\nWe performed our fieldwork at OCR\xe2\x80\x99s headquarters in Washington, DC, and its Atlanta regional\noffice. 
We assessed OCR\xe2\x80\x99s Security Rule oversight and enforcement for the period July 2009\nthrough May 2011 and its computer systems as of May 2011.\n\n\n\n\n2\n \xe2\x80\x9cInformal means\xe2\x80\x9d may include demonstrated compliance, a completed corrective action plan, or other agreements\n(45 CFR \xc2\xa7 160.312).\n3\n On October 27, 2008, we issued a report to CMS entitled Nationwide Review of the Centers for Medicare\n& Medicaid Services Health Insurance and Portability and Accountability Act of 1996 Oversight (A-04-07-05064).\n4\n On May 16, 2011, we issued a report to OCR entitled Nationwide Rollup Review of the Centers for Medicare\n& Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight (A-04-08-05069).\n\n                                                       2\n\x0cMethodology\n\nTo accomplish our objectives, we:\n\n   \xe2\x80\xa2   reviewed Federal laws and regulations pertaining to ePHI and cybersecurity;\n\n   \xe2\x80\xa2   reviewed OCR\xe2\x80\x99s policies, processes, systems, and applications used to oversee and\n       enforce the Security Rule;\n\n   \xe2\x80\xa2   assessed OCR\xe2\x80\x99s oversight and enforcement of the Security Rule as applied to covered\n       entities;\n\n   \xe2\x80\xa2   evaluated the risk assessment OCR used to allocate its oversight and enforcement\n       resources;\n\n   \xe2\x80\xa2   reviewed OCR\xe2\x80\x99s use of civil monetary penalties for Security Rule violations;\n\n   \xe2\x80\xa2   interviewed OCR staff members in Washington, D.C.; Atlanta, Georgia; Boston,\n       Massachusetts; Chicago, Illinois; and Philadelphia, Pennsylvania; to understand their\n       interpretation of and processes for implementing and enforcing the Security Rule;\n\n   \xe2\x80\xa2   assessed OCR\xe2\x80\x99s guidance to covered entities regarding the Security Rule;\n\n   \xe2\x80\xa2   reviewed OCR\xe2\x80\x99s contracts and interviewed contractor personnel who performed technical\n       
analyses and provided recommendations to OCR regarding potential Security Rule\n       violations;\n\n   \xe2\x80\xa2   judgmentally selected 30 closed and 30 open investigations from 364 investigations of\n       potential Security Rule violations conducted between July 2009 and February 2011; and\n\n   \xe2\x80\xa2   interviewed the OCR official responsible for overseeing investigations and supervising\n       regional OCR staff.\n\nWe conducted this performance audit in accordance with generally accepted government\nauditing standards. Those standards require that we plan and perform the audit to obtain\nsufficient, appropriate evidence to provide a reasonable basis for our findings and conclusions\nbased on our audit objectives. We believe that the evidence obtained provides a reasonable basis\nfor our findings and conclusions based on our audit objectives.\n\n\n\n\n                                               3\n\x0c                          FINDINGS AND RECOMMENDATIONS\n\nOCR met some Federal requirements for oversight and enforcement of the Security Rule:\n\n   \xe2\x80\xa2   OCR made available to covered entities guidance to promote compliance with the\n       Security Rule.\n\n   \xe2\x80\xa2   OCR established an investigation process for responding to reported violations of the\n       Security Rule.\n\n   \xe2\x80\xa2   OCR followed Federal regulations for penalizing Security Rule violators. It closed 147\n       of 364 Security Rule investigations from July 2009 through February 2011. 
Although\n       OCR might have been able to impose civil monetary penalties for some of the most\n       severe violations, OCR followed Federal requirements by resolving those cases\n       informally.\n\nHowever, OCR did not meet other Federal requirements for the oversight and enforcement of the\nSecurity Rule:\n\n   \xe2\x80\xa2   Although OCR made available to covered entities guidance to promote compliance with\n       the Security Rule, it had not assessed the risks, established priorities, or implemented\n       controls for its HITECH requirement to provide for periodic audits of covered entities to\n       ensure their compliance with Security Rule requirements. As a result, OCR had limited\n       assurance that covered entities complied with the Security Rule and missed opportunities\n       to encourage those entities to strengthen their security over ePHI.\n\n   \xe2\x80\xa2   Although OCR established an investigation process for responding to reported violations\n       of the Security Rule, its Security Rule investigation files did not contain required\n       documentation supporting key decisions made during those investigations because its\n       staff did not consistently follow OCR investigation procedures by sufficiently reviewing\n       investigation case documentation. OCR had not implemented sufficient controls,\n       including supervisory review and documentation retention, to ensure investigators follow\n       investigation policies and procedures for properly initiating, processing, and closing\n       Security Rule investigations. 
By not consistently following its investigation procedures\n       and reviewing case documentation, OCR had limited assurance that it had identified and\n       mitigated vulnerabilities to ePHI during Security Rule investigations.\n\nIn addition, OCR had not fully complied with Federal cybersecurity requirements included in the\nNational Institute of Standards and Technology (NIST) Risk Management Framework for its\ninformation systems used to process and store investigation data because it focused on system\noperability to the detriment of system and data security. For example, OCR did not obtain HHS\nauthorizations to operate the three systems used to oversee and enforce the Security Rule. In\naddition, it did not complete privacy impact assessments, risk analyses, and system security plans\nfor two of the three systems. Exploitation of unaddressed system vulnerabilities normally\nidentified through the Risk Management process, could impair OCR\xe2\x80\x99s ability to perform\nfunctions vital to its mission.\n\n                                                4\n\x0cOFFICE FOR CIVIL RIGHTS PARTIALLY MET REGULATORY REQUIREMENTS\nFOR OVERSIGHT AND ENFORCEMENT\n\nPeriodic Audits Not Provided For\n\nHITECH requires OCR to provide for periodic audits to ensure that covered entities and their\nbusiness associates comply with Security Rule requirements (HITECH Act, section 13411). The\nOffice of Management and Budget (OMB) Circular A-123, Management\xe2\x80\x99s Responsibility for\nInternal Control, requires management to establish and maintain controls to comply with\napplicable laws and regulations. It further states that management should perform risk\nassessments to identify the most significant areas in which to place or enhance controls.\n\nOCR did not provide for periodic audits of covered entities in accordance with these Federal\nrequirements. 
Instead, OCR continued to follow the complaint-driven approach developed\njointly by CMS and OCR but discontinued the compliance-audit process that CMS had begun in\n2009.\n\nOCR had not established controls for complying with HITECH\xe2\x80\x99s auditing requirements. For\nexample, OCR had not assessed which entities or what systems used for storing or processing\nePHI presented the greatest risk of ePHI exposure. Instead of assessing the risks, establishing\npriorities, and implementing controls for the redelegated Security Rule and the HITECH\nrequirements, OCR applied the resources and procedures it had been using for its responsibilities\nin civil rights and health privacy oversight and enforcement before the redelegation.\n\nOCR allocated its resources to manage an increasing number of Security Rule investigations\noriginating primarily from press reports, reported breaches affecting 500 or more individuals,\nand complaints from the public. OCR officials stated that OCR did not have sufficient resources\nto expand its compliance efforts beyond event-driven compliance investigations. In addition,\nOCR did not have the expertise needed to meet its Security Rule and HITECH responsibilities,\nwhich include the ability to audit security controls for systems that process and store ePHI. 5\n\nBecause OCR did not perform the compliance audits mandated by HITECH, it had limited\ninformation about the status of Security Rule compliance at covered entities. Therefore, it had\nlimited assurance that ePHI was secure and might have missed opportunities to motivate covered\nentities to strengthen ePHI security. 
The cumulative results of an audit program would also have\nhelped OCR better understand the areas in which ePHI was vulnerable and might have helped\nOCR develop more effective ways to allocate its oversight resources.\n\nInsufficient Records for Security Rule Investigations\n\nOCR\xe2\x80\x99s publication, Dual Process Complaint Manual: The Process and Workflow for Security\nRule and Dual Process Complaints, requires designated OCR headquarters and regional\npersonnel to update the Compliance Data System (CDS) as needed with all documentation\n5\n An evaluation of budget and staffing to determine whether OCR had sufficient resources and staff expertise to\nmeet its responsibilities was outside the scope of this review. Therefore, we have not made any recommendations to\naddress the issues raised by OCR officials.\n\n                                                        5\n\x0crequired to initiate, process, and close Security Rule investigations. OMB Circular A-123\nrequires management to establish and maintain controls to achieve the objectives of effective and\nefficient operations.\n\nSecurity Rule investigation records did not contain documentation needed to support key\ndecisions made during those investigations. 
Specifically, 39 of 60 selected records were missing\n1 or more of the documents necessary to initiate, process, or close those investigations.\nExamples of missing documentation included initial complaint documents, closure letters, and\ndocuments required for tracking complaint status through the Security Rule investigation\nprocess.\n\nOCR Security Rule investigation records were missing documentation because OCR\ninvestigators did not consistently follow OCR\xe2\x80\x99s policies and procedures for documenting case\ninvestigations and OCR management did not implement sufficient controls, such as supervisory\nreviews, to ensure that the investigators did so.\n\nWithout adequate supporting documentation for tracking investigations, such as initial complaint\nand case progress-tracking forms, OCR management could not be certain that its investigators\nconducted Security Rule investigations properly. In addition, OCR management could not be\ncertain that it identified and mitigated problems related to the initial complaints during the\ninvestigation process. Without a closure letter, OCR management could not be certain that OCR\nhad approved a covered entity\xe2\x80\x99s mitigation strategy.\n\nSYSTEMS DID NOT FULLY COMPLY WITH FEDERAL CYBERSECURITY\nREQUIREMENTS\n\nThe Federal Information Security Management Act of 2002 (FISMA) requires each Federal\nagency to develop, document, and implement an agencywide program to provide information\nsecurity for the information and information systems that support the operations and assets of the\nagency, including those provided or managed by another agency, contractor, or source. 
HHS
requires its operating and staff divisions to follow FISMA and other Federal cybersecurity
requirements for the secure development, operation, and maintenance of information systems.
More specifically, HHS requires security authorizations, privacy impact assessments, risk
analyses, and system security plans for Federal information systems (HHS Standard for FISMA
Inventory Management). The detailed requirements are in Appendix A.

OCR’s computer systems used to store, retrieve, and track Security Rule oversight and
enforcement data did not fully comply with Federal cybersecurity requirements. OCR had not
fully implemented the NIST Risk Management Framework [6] for three of its Security Rule
oversight systems: the Program Information Management System (PIMS), the CDS, and the
Breach Notification system. More specifically, OCR did not:

   •   obtain HHS authorizations to operate its PIMS, CDS, or Breach Notification system;

   •   complete a privacy impact assessment and risk analysis for the CDS or the Breach
       Notification system;

   •   develop a system security plan for the CDS and the Breach Notification systems; or

   •   implement additional Federal security requirements not included above for its Breach
       Notification system.

[6] NIST’s Risk Management Framework provides a structured process and information to help organizations identify
the risks to their information systems, assess those risks, and take steps to reduce risks to an acceptable level.
Available online at http://csrc.nist.gov/publications/nistbul/july2009_risk-management-framework.pdf. Accessed
on July 2, 2012.

In general, OCR management focused on the operability of the systems used for HIPAA
oversight and enforcement by its predecessor CMS when OCR was delegated additional Security
Rule and HITECH responsibilities and did not focus on securing the systems used to store,
retrieve, process, and track Security Rule oversight and enforcement data. OCR copied,
renamed, and partially modified the CMS Administrative Simplification Enforcement Tool
system into its CDS system to receive, maintain, and process Security Rule investigation data.
However, OCR management did not give Federal cybersecurity requirements sufficient priority
and, consequently, did not complete Risk Management Framework requirements for its PIMS,
CDS, or Breach Notification system. Further, the underlying reason OCR’s Breach Notification
system did not meet Federal cybersecurity requirements was that OCR management had not
classified it properly as a system subject to Federal cybersecurity requirements.

Although we found no evidence that anyone had compromised OCR’s sensitive information or
information systems, by not complying with Federal cybersecurity requirements, OCR increased
the risk that it might not identify or mitigate system vulnerabilities.
Exploitation of any of those
system vulnerabilities could impair OCR’s ability to perform various business processes,
including compliance activities, real-time access and results reporting, timely responses to
complaints, and completion of investigations. It also could increase the risk of unauthorized
disclosure or destruction of ePHI.

RECOMMENDATIONS

We recommend that OCR:

   •   assess the risks, establish priorities, and implement controls for its HITECH auditing
       requirements;

   •   provide for periodic audits in accordance with HITECH to ensure Security Rule
       compliance at covered entities;

   •   implement sufficient controls, including supervisory review and documentation retention,
       to ensure policies and procedures for Security Rule investigations are followed; and

   •   implement the NIST Risk Management Framework for systems used to oversee and
       enforce the Security Rule.

OFFICE FOR CIVIL RIGHTS COMMENTS

In its comments on our draft report, OCR generally concurred with our recommendations and
described the actions it has taken to address them. In one of its comments, OCR stated that it
had contracted for the development of its audit mandate options, had developed an audit protocol,
had conducted pilot audits of covered entities, and was evaluating the results of its pilot audit
program. However, OCR explained that no funds had been appropriated for it to maintain a
permanent audit program and that funds used to support audit activities previously conducted were
no longer available. OCR also provided technical comments, which we addressed as appropriate.
OCR’s comments, excluding technical comments, are included as Appendix B.

OFFICE OF INSPECTOR GENERAL RESPONSE

We remain concerned about OCR’s ability to comply with the HITECH audit requirement and
the resulting limited assurance that ePHI is secure at covered entities because of OCR’s comment
regarding limited funding resources for its audit mandates. Furthermore, in response to one of
OCR’s technical comments, we changed our report language to clarify our finding on OCR’s
oversight and enforcement of covered entity compliance with the Security Rule by removing a
reference to Security Rule requirements. Although the Security Rule authorized compliance
reviews of covered entities in 2006 by stating that OCR “may conduct compliance reviews to
determine” Security Rule compliance, HITECH changed the requirement in 2009 to state that
OCR “shall provide for periodic audits to ensure” Security Rule compliance.

APPENDIXES

APPENDIX A: FEDERAL REQUIREMENTS AND OFFICE FOR CIVIL RIGHTS
PROCEDURES

PERIODIC AUDIT REQUIREMENTS

Before HITECH mandated periodic audits of covered entities and business associates, HIPAA
authorized compliance reviews of covered entities.

HHS published the Security Rule, which describes the administrative, physical, and technical
safeguards necessary to ensure the confidentiality, integrity, and availability of ePHI.
Under the
Security Rule:

       The Secretary may conduct compliance reviews to determine whether covered
       entities are complying with the applicable requirements of this part 160 and the
       applicable standards, requirements, and implementation specifications of subpart
       E of part 164 of this subchapter (45 CFR § 160.308).

HITECH (section 13411) stipulates that “[t]he Secretary shall provide for periodic audits to
ensure that covered entities and business associates ... comply with [Security Rule]
requirements.”

SECURITY RULE ENFORCEMENT REQUIREMENTS

Federal regulations (45 CFR § 160.402(a)) state that the Secretary will impose a civil money
penalty on a covered entity if the Secretary determines that the covered entity has violated a
Security Rule requirement.

Additional regulations (45 CFR § 160.312) state that: “(1) If an investigation of a complaint …
or a compliance review … indicates noncompliance, the Secretary will attempt to reach a
resolution of the matter satisfactory to the Secretary by informal means. Informal means may
include demonstrated compliance, a completed corrective action plan, or other agreements.”

OCR publication Dual Process Complaint Manual: The Process and Workflow for Security Rule
and Dual Process Complaints (the manual) applies to Security Rule cases. The manual states
that designated OCR headquarters and regional personnel will update the Compliance Data
System as needed with all documentation required to initiate, process, and close a Security Rule
investigation.

INTERNAL CONTROL REQUIREMENTS

OMB Circular No. A-123 states: “[m]anagement is responsible for establishing and maintaining
internal control to achieve the objectives of effective and efficient operations, reliable financial
reporting, and compliance with applicable laws and regulations. Management shall consistently
apply the internal control standards to meet each of the internal control objectives and to assess
internal control effectiveness.”

It further states that internal control is a:

        …means of managing the risk associated with Federal programs and operations.
        Managers should define the control environment (e.g., programs, operations, or
        financial reporting) and then perform risk assessments to identify the most
        significant areas within that environment in which to place or enhance internal
        control. The risk assessment is a critical step in the process to determine the
        extent of controls. Once significant areas have been identified, control activities
        should be implemented. Continuous monitoring and testing should help to
        identify poorly designed or ineffective controls and should be reported upon
        periodically….

FEDERAL CYBERSECURITY REQUIREMENTS

FISMA requires each Federal agency to develop, document, and implement an agencywide
program to provide information security for the information and information systems that
support the operations and assets of the agency, including those provided or managed by another
agency, contractor, or other source.

Federal Information Processing Standards Publication Minimum Security Requirements for
Federal Information and Information Systems (FIPS 200) requires information systems to
comply with the most recent edition of NIST Special Publication (SP) 800-53, Recommended
Security Controls for Federal Information Systems. FIPS 200 states: “Organizations must meet
the minimum security requirements in this standard by selecting the appropriate security controls
and assurance requirements as described in NIST [SP] 800-53…. Organizations must use the
most current version of NIST [SP] 800-53, as amended, for the security control selection
process.”

The HHS Office of Chief Information Officer (OCIO) policy, HHS-OCIO Policy for Information
Systems Security and Privacy (HHS-OCIO-2011-0003), section 4, established U.S. Government
mandates for the secure development, operation, and maintenance of information systems in
HHS and its Operating Divisions/Staff Divisions (OPDIVs/STAFFDIVs).

Sections 4.1.1 and 4.1.2 state:

        OPDIVs/STAFFDIVs shall use NIST … SP 800-37 Revision (Rev.) 1, Guide for
        Applying the Risk Management Framework to Federal Information Systems: A
        Security Life Cycle Approach (dated February 2010), as the methodology for the
        security authorization of information systems (formerly known as “certification
        and accreditation” or “C&A”), in accordance with FISMA and direction from
        OMB…. OPDIVs/STAFFDIVs shall comply with Department minimum
        requirements when preparing security authorization packages for information
        systems.

NIST SP 800-53, Revision 3, in section CA-2, Security Assessment, states:

       The organization:

   a. Develops a security assessment plan that describes the scope of the assessment
      including:

       1) Security controls and control enhancements under assessment;
       2) Assessment procedures to be used to determine security control effectiveness;
          and
       3) Assessment environment, assessment team, and assessment roles and
          responsibilities;

   b. Assesses the security controls in the information system … to determine the
      extent to which the controls are implemented correctly, operating as intended, and
      producing the desired outcome with respect to meeting the security requirements
      for the system;

   c. Produces a security assessment report that documents the results of the
      assessment; and

   d. Provides the results of the security control assessment, in writing, to the
      authorizing official or authorizing official designated representative.

The HHS Standard for FISMA Inventory Management policy (HHS Inventory Policy) requires
all HHS information technology systems to be recorded through the HHS FISMA reporting tool
and the following to be documented:

   •   System type (i.e., GSS [general support system], major application, or minor
       application)…;

   •   Information type(s) and corresponding FIPS 199 risk impact levels (i.e.,
       categorizations) for the individual information types and for the IT system;

   •   Privacy Impact Assessment (PIA);

   •   e-Authentication risk assessment completion date and highest authentication
       assurance level; and

   •   Weaknesses and corrective actions within a POA&M [Plan of Actions and
       Milestones]. The GSS or major application POA&M must account for the
       weaknesses of all applications (major or minor, as applicable) within its
       accreditation boundary.

The HHS Inventory Policy also requires all HHS information technology systems to be certified
and accredited in accordance with NIST and HHS guidance.
The scope of the certification and
accreditation shall be commensurate with the FIPS 199 risk impact level of the system and
document a Risk Assessment, Security Assessment Report, POA&M, and accreditation decision
letter with corresponding full Authorization to Operate. The scope should also include a current
System Security Plan and an Information Technology Contingency Plan.

NIST SP 800-37, Guide for Applying the Risk Management Framework to Federal Information
Systems: A Security Life Cycle Approach, revision 1, section 2.1, states that, to fulfill the Risk
Management Framework, organizations must:

   •   Categorize the information system and the information processed, stored, and
       transmitted by that system based on an impact analysis.

   •   Select an initial set of baseline security controls for the information system based
       on the security categorization; tailoring and supplementing the security control
       baseline as needed based on an organizational assessment of risk and local
       conditions.

   •   Implement the security controls and describe how the controls are employed
       within the information system and its environment of operation.

   •   Assess the security controls using appropriate assessment procedures to determine
       the extent to which the controls are implemented correctly, operating as intended,
       and producing the desired outcome with respect to meeting the security
       requirements for the system.

   •   Authorize information system operation based on a determination of the risk to
       organizational operations and assets, individuals, other organizations, and the
       Nation resulting from the operation of the information system and the decision
       that this risk is acceptable.

   •   Monitor the security controls in the information system on an ongoing basis
       including assessing control effectiveness, documenting changes to the system or
       its environment of operation, conducting security impact analyses of the
       associated changes, and reporting the security state of the system to designated
       organizational officials.

APPENDIX B: OFFICE FOR CIVIL RIGHTS COMMENTS

DEPARTMENT OF HEALTH & HUMAN SERVICES                                    Office of the Secretary

                                                                         Director
                                                                         Office for Civil Rights
                                                                         Washington, D.C. 20201

September 26, 2013

MEMORANDUM

TO:        Thomas M. Salmon
           Assistant Inspector General for Audit Services

FROM:      Leon Rodriguez
           Director

SUBJECT:   The Office for Civil Rights Did Not Meet All Federal Requirements in its
           Oversight and Enforcement of the Health Insurance Portability and
           Accountability Act Security Rule (A-04-11-05025)

Thank you for the opportunity to review the subject draft report. The Office for Civil Rights
(OCR) appreciates the efforts and recommendations of the Office of the Inspector General
(OIG).
As detailed below, OCR has made significant progress in addressing the
recommendations in the draft report.

        Office of Inspector General Note - Technical comments in the auditee's
        response to the draft have been omitted from the final report and all appropriate
        changes have been made.

Responses to Recommendations:

1) Assess the risks, establish priorities, and implement controls for its Security Rule and
   HITECH requirements

The Office for Civil Rights (OCR) has developed and executed a series of strategic initiatives to
implement the Security Rule and HITECH requirements. OCR was a partner in the development
of HHS's Federal Health IT Strategic Plan for 2011-2015, which describes the Federal
government's strategy to implement the HITECH Act's initiatives across the Department with a
goal toward improving health and health care for all Americans through use of health
information and technology. Goal III of the Federal Health IT Strategic Plan focuses on Federal
privacy and security efforts so that electronic health information will be protected and used
appropriately within health IT systems in patient care.

OCR issued final rules in January 2013 to implement modifications to the Health Insurance
Portability and Accountability Act (HIPAA) Privacy, Security, Breach Notification, and
Enforcement Rules, as required by the HITECH Act. This rule effectively extends the use and
disclosure requirements of the Privacy Rule, as well as the provisions of the Security Rule to the
contractors of health care providers and health plans ("business associates") covered by HIPAA,
as well as their subcontractors.

OCR has enhanced enforcement of the HIPAA Rules. From 2008 through 2012, OCR obtained
corrective action from covered entities in more than 13,000 cases in which our investigations
found indications of noncompliance with HIPAA. During the same period, OCR reached
resolution agreements with covered entities in 11 cases. The payments resulting from these 11
resolution agreements total approximately $10 million. OCR has also imposed a civil monetary
penalty of about $4 million in one case in which the covered entity failed for up to a year and a
half to provide 41 individuals with access to their health information, as required by the HIPAA
Privacy Rule, and failed to cooperate with OCR's investigation.

OCR continues to develop privacy and security-oriented technical assistance materials for
HIPAA covered entities and business associates:

   •   OCR developed guidance to assist organizations in identifying and implementing the
       most effective and appropriate administrative, physical, and technical safeguards to
       secure e-PHI through conducting a risk analysis of their information systems that
       handle e-PHI.
   •   OCR provided technical assistance in the development of the NIST HIPAA Security
       Toolkit Application, a self-assessment survey intended to help organizations better
       understand the requirements of the HIPAA Security Rule.
   •   ONC and OCR partnered to develop tools and resources to help providers meet
       privacy and security requirements addressing the security of ePHI when using mobile
       devices and developed a videogame that provides privacy and security training for
       health care professionals.
   •   OCR has developed 2 educational videos that raise awareness about safeguarding
       electronic health information and the requirements of the Security Rule. These videos
       are available through the "You Tube" Internet website.
   •   OCR has developed video training modules that provide health care professionals and
       staff with information on the requirements of the Security Rule, the importance of
       conducting an information security risk analysis, and the importance of safeguarding
       mobile devices. These video titles are available on the Medscape Internet website.

2) Provide for periodic audits in accordance with HITECH to ensure Security Rule
   compliance at covered entities

Section 13411 of the HITECH Act states that the Department shall provide for periodic audits of
covered entities and business associates that are subject to the requirements of the HITECH Act
and the HIPAA Rules to ensure compliance with such requirements. Since 2010, OCR has made
significant strides to develop and implement an audit program to ensure the compliance of
covered entities and business associates with the HIPAA Privacy, Security, and Breach
Notification Rules. OCR has contracted for the development of options for implementation of
the audit mandate, developed a comprehensive audit protocol that also serves as a guide for
entity compliance, conducted 115 audits of covered entities, and initiated an evaluation of the
audit program conducted to date to inform decision making about future audits. While OCR
agrees with the recommendation that the HITECH audit program represents an effective tool, no
monies have been appropriated for OCR to maintain a permanent audit program. [1]

[1] OCR used ARRA funds to support the audit activities described. The availability of these funds expired in
December 2012.

Audit Plan Development

In 2010, OCR contracted with Booz Allen Hamilton (BAH) to identify key issues that OCR
would need to address in the development and operation of an audit program and to recommend
models for conducting audits. BAH reviewed existing audit programs and industry materials,
and conducted interviews with industry experts. The BAH report addressed the phases of an
audit program, from planning to reporting and follow-up, and identified a number of key issues
and decisions that OCR would need to address prior to beginning audits.

Based upon the model options and issues identified by BAH, OCR decided to pursue a pilot
audit strategy, which included establishing the building blocks for an audit program, conducting
comprehensive audits in an iterative manner to leverage the experiences of initial audits to
benefit later audits, and contracting out the performance of the onsite audits. At the same time,
OCR committed to an evaluation of the pilot audit experience.

Building the Audit Program

Prior to conducting any audit, OCR needed to identify the universe of covered entities that
would be subject to audits and to develop an audit protocol. [2] To identify covered entities, OCR
contracted with BAH to develop a comprehensive listing of covered entities from existing public
and private data sources. To develop the protocol to use for audits of covered entities, OCR
contracted with KPMG. Both the listing of covered entities and the HIPAA audit protocol were
completed in 2011.

[2] Note that because final regulations for the compliance obligations of business associates were not yet in place,
OCR focused on auditing covered entities in the pilot phase of the audit program.

Conducting Audits

OCR decided that the most effective strategy to start the audit program was to contract for onsite
audits to be performed by a single entity, and to first test the protocol on a small, diverse group
of covered entities with later expansion to a larger group of covered entities. OCR's goal was to
identify a baseline for covered entity compliance among a broad section of the HIPAA Privacy,
Security, and Breach Notification standards while gaining the knowledge and experience in the
operation of an audit function.

OCR selected 50 standards from across the three Rules for assessment. The focus in the audits
was to assess whether entities had sufficient policies, procedures, and infrastructure in place to
meet the HIPAA Rule requirements. Between December 2011 and March 2012, KPMG
conducted 20 audits. Based upon the initial audit experience and use of the protocol, changes
were made to the protocol and to the audit process. KPMG then conducted a final 95 audits of
various sizes and types of covered entities from April 2012 to December 2012.

Of the 115 audits conducted, 47 health plans, 61 health care providers, and 7 clearinghouses
were audited. The covered entities audited included a broad mix of public and private entities,
local, regional and national entities, and entities with both significant and minor health
information technology adoption.

The audit results demonstrated several clear trends. Although Security Rule standards
represented one quarter of standards assessed by KPMG, findings and observations for those
standards accounted for over half of all findings and observations. In addition, although thirteen
entities had no findings or observations, health care providers generally had greater compliance
gaps than health plans and clearinghouses. Finally, small entities overall struggled in each
assessment area - privacy, security and breach notification - while larger entities had
proportionally fewer and more limited findings.

Evaluation of the Pilot Audit Program

Following the completion of audits by KPMG in 2012, OCR contracted with Price Waterhouse
Coopers (PWC) to evaluate a variety of aspects of the pilot HIPAA audit program, including the
selection of entities and standards, audit conclusions and work papers, and the operation and
management of the program by OCR. The evaluation will include a survey of all audited entities
to assess the impact of the audits on the industry and covered entities individually. Final
recommendations will be made to OCR in the last quarter of 2013.

Based upon the findings and recommendations of PWC's evaluation, OCR will make decisions
about a permanent audit program. Future decisions will include the strategy and process for
audits of business associates and a development of program priorities. Future audits are less
likely to be broad assessments generally across the Rules and more likely to focus on key areas
of concern for OCR identified by new initiatives, enforcement concerns, and Departmental
priorities.

3) Implement sufficient controls, such as supervisory reviews and documentation retention
   to ensure policies and procedures in Security Rule investigations are followed.

OIG found that there were insufficient records of the documentation of complaint investigations
and compliance reviews in the Compliance Data System (CDS) information system that OCR
used to manage and store the documentation for the investigation of HIPAA Security Rule
complaints and compliance reviews. At the time of OIG's review, OCR operated two
information systems to support and track investigations, as well as other official correspondence
of the agency. The Compliance Data System (CDS) was used to support the activities related to
the enforcement activities of the Security Rule. The Program Information Management System
(PIMS) was used as the information system to support all of OCR's other administrative and
enforcement activities. In 2012, OCR merged the data from CDS into PIMS to improve
efficiency and assure that the documentation of Security Rule complaint investigations and
compliance reviews were accurate and complete. CDS has been decommissioned and PIMS now
serves as the only information system to manage the documentation and case progression of
OCR's activities to support the Security Rule.

OCR made a significant upgrade to its PIMS information systems that implemented specific
requirements that ensure all cases have the appropriate documentation, including initiating and
closing documentation, and management review. Depending on the type of case, additional
information may be required. Any case that is investigated will have a strategy in the case folder
which is approved by management. Investigators on Security Rule cases have access to subject
matter experts with appropriate technical certifications for assistance in analyzing and evaluating
information security issues. Management reviews of case evidence, procedural documentation,
and investigative procedures are recorded in PIMS for all closures.

4) Implement the NIST Risk Management Framework for systems used to oversee and
   enforce the Security Rule.

OIG found that information systems used by OCR for its oversight and enforcement data did not
fully comply with the Federal cybersecurity requirements. Since the OIG review, OCR has taken
steps to assure its compliance with the HHS Standards for FISMA Inventory Management:

   •   CDS has been decommissioned and all data has been merged into PIMS. All hardware
       and software associated with CDS has been decommissioned in accordance with the
       procedures of the hosting facility at NIH/CIT.
   •   PIMS has been brought into compliance with the FISMA requirements for completing a
       privacy impact assessment, risk analysis and system security plan. An authorization to
       operate (ATO) PIMS was issued by the Department's Chief Information Officer and is
       valid through January 2015.
   •   Administrative and technical management of the Breach Notification System is the
       responsibility of the Assistant Secretary for Public Affairs (ASPA). ASPA advises that
       the system operates under an ATO granted for its managed network systems.

OCR would be pleased to provide the documentation in support of these activities on request.

Thank you again for the opportunity to review the draft report. Please do not hesitate to contact
me with any questions.